Microprocessor system for safety-critical control systems

ABSTRACT

A microprocessor system intended for safety-critical control systems includes two synchronously operated central units (1, 2) which receive the same input data and process the same program, in addition, read-only memories (5, 10) and random-access memories (6, 11) for useful data and test data, and comparators (18, 19) which check the output signals of the central units (1, 2) and issue disconnecting signals in the event of non-correlation. The central units (1, 2) are connected to the memories and the input and output units by way of separate bus systems (3, 4) and coupled by driver stages (15, 16, 17) which enable the central units (1, 2) to jointly read and process the data available in the two bus systems (3, 4).

BACKGROUND OF THE INVENTION

The present invention relates to a microprocessor system for safety-critical control systems, including two synchronously operated central units or CPUs which receive the same input data and process the same program, equipped with read-only memories (ROM) and random-access memories (RAM), and memory locations for test data and test data generators, and also including comparators which check the output data of the central units and issue disconnecting signals in the event of non-correlation.

Safety-critical control systems are, for example, automotive vehicle control systems which intervene in braking operations. Among these control systems, especially wheel-lock control systems or anti-lock systems (ABS) and traction slip control systems (TCS, etc.) are very important and available on the market in many versions. Driving stability control systems (DSC, ASMS), suspension control systems, etc., are also critical in terms of safety because they are based on brake management, and their malfunction may impair the driving stability of the vehicle in other ways. Therefore, it is imperative to constantly monitor the operability of such systems in order to disconnect the control when an error occurs, or to switch the control over to a condition which jeopardizes safety less.

German patent No. 32 34 637 discloses an example of a circuit arrangement or a microprocessor system for controlling and monitoring an anti-lock vehicle brake system. In this patent, the input data are sent in parallel to two identically programmed microcomputers where they are processed synchronously. The output signals and intermediate signals of the two microcomputers are checked for correlation by redundant comparators. In the event of non-correlation of the signals, disconnection of the control is effected by a circuit which also has a redundant design. In this known circuit, one of the two microcomputers is used to produce braking pressure control signals, while the other one is used to produce the test signals. Thus, two complete microcomputers, including the associated read-only memories and random-access memories, are required in the symmetrically designed microprocessor system.

In another prior art system, based on which the circuit described in German patent application No. 41 37 124 is configured, the input data are also sent in parallel to two microcomputers, only one of which, however, performs the complete complicated signal processing operation. The second microcomputer is mainly used for monitoring, so that the input signals, after being conditioned and time derivatives being produced, etc., can be further processed by way of simplified control algorithms and a simplified control philosophy. The simplified data processing is sufficient to produce signals which permit indications of the proper operation of the system by comparison with the signals processed in the more sophisticated microcomputer. The use of a test microcomputer of a reduced capacity permits diminishing the expenditure in manufacture compared to a system having two complete, sophisticated microcomputers of identical capacity.

German patent application No. 43 41 082 also discloses a microprocessor system of the previously mentioned type. However, the system is especially intended for use in the control system of an anti-lock brake system. The prior art microprocessor system, which can be mounted on one single chip, includes two central units, or CPUs, in which the input data are processed in parallel. The read-only memories and the random-access memories, to which both central units are connected, comprise additional memory locations for test data, each having a generator to produce test data. The output signals of one of the two central units are further processed for producing the control signals, and the other central unit, i.e. the ‘passive’ one, is only used to monitor the ‘active’ central unit. The expenditure in manufacture is considerably reduced, without deteriorating the error detection ability, by eliminating the need for a double provision of the memories in this system and by accepting a relatively small extension of the memories to store the test data.

An object of the present invention, therefore, is to develop a microprocessor system which detects and signals malfunctions of the system with the extremely high degree of probability and reliability which is required for safety-critical applications. Additionally, a comparatively low expenditure in manufacture should be sufficient for a microprocessor system of this type.

SUMMARY OF THE INVENTION

It has been found that this object can be achieved by a system in which the central units, or CPUs, are connected to the read-only memories and the random-access memories and to input and output units by way of separate bus systems, and that the bus systems are connected or coupled one to the other by driver stages which enable both central units to jointly read and process the data, including the test data and commands, present or available in the two bus systems. The input and output data of the two central units, including the test data and commands, present on the two bus systems, are checked for correlation by the comparator(s) of the system of the present invention.

The microprocessor system of the present invention is based on the use of two equal, fully redundantly operated processor cores or central units which together process redundantly the data supplied by way of two separate bus systems. Subsequently, the input and output signals of both central units are compared for correlation by way of a simple hardware comparator to which a second comparator is connected in parallel for reasons of safety. The memories of the system of the present invention are provided only once. Only additional memory locations for test data, existing in the form of parity bits, for example, are provided.

In a preferred aspect of the present invention, a complete microprocessor comprising a central unit, read-only and random-access memories, input and output stage, is connected to one of the two bus systems. The second bus system, instead of the read-only and random-access memories, is directly connected only to corresponding memory locations for test data. The driver stages coupling the two bus systems, however, enable both central units to read all necessary data furnished by the useful data memories, the test data memories and the input stages. The microprocessor system of the present invention is thereby given a particularly straightforward structure which favors accommodating all components on one single chip.

Further features, advantages and possible applications can be seen in the following description of an embodiment making reference to the accompanying drawing.

BRIEF DESCRIPTION OF THE DRAWING

The only drawing, in a schematically simplified view, illustrates the most important components of a microprocessor system of the present invention.

DETAILED DESCRIPTION OF THE DRAWING

The attached drawing serves to explain the principal design and operation of a microprocessor system of the present invention. A single-chip microcomputer system is shown in this example which includes two synchronously operated central units 1, 2, which are also termed computer or processor cores, or CPUs, and separate bus systems 3, 4 (bus 1, bus 2). The common clock for both central units 1, 2 is supplied through the connection cl (common clock). The central unit 1 is supplemented to a complete microcomputer MC1 by a read-only memory 5 (ROM), a random-access memory 6 (RAM), input stages 7, 8 (periphery 1, port 1), and by an output stage 9. In contrast thereto, only test data memories 10, 11 and input stages 12, 13 and one output stage 14 are connected to the second bus system 4 (bus 2) beside the central unit 2. The test data memory locations for the data in the read-only memory 5 are incorporated in the memory 10, and the test data for the random-access memory 6 are incorporated in the memory 11. These elements are comprised in a ‘lean’ microcomputer MC2.

Further, what is essential to the present invention, the two bus systems 3, 4 (bus 1, bus 2) are coupled by driver stages 15, 16, 17 which permit joint reading of the incoming data by the two central units 1, 2. The stages 15 to 17 are drivers (or ‘buffers’ with an enable function). The directions of transmission of the drivers 15 to 17 are represented by an arrow. The driver 15 is used to transmit the data which are disposed on the bus system 3 (bus 1) to the central unit 2. The driver 16 is used to transmit the test data from the test data memories 10, 11 to the central unit 1, and the driver 17 is used to transmit the data from the input stages 12, 13 of the second bus system 4 (bus 2) to the central unit 1.

Each bus system 3, 4 comprises a control bus ‘C’, a data bus ‘D’ and an address bus ‘A’. The data bus also includes the test data ‘p’. The input and output data of the central units, referred to as ‘CdpA’, are checked for correlation in a hardware comparator 18 and in an identical comparator 19 which is arranged on the same chip as the comparator 18, spatially separated from it.

In contrast to known systems, the microprocessor system of the present invention does not permit making a distinction between an active and a passive processor. Rather, the two processor cores or central units 1, 2 have equal status. They process fully redundantly the jointly read data, which also comprise the test or redundancy data and the control commands. The input and output signals of the processors 1, 2 are checked for correlation and sent to the valve actuation control 20 shown in the drawing by way of the associated bus systems 3, 4 and the output units 9, 14. The operation of the valve actuation control is as follows:

Both central units 1, 2 supply identical output signals to the output units 9, 14 via the bus systems 3, 4. An inverter 22 is interposed in the conduit to one of the two output units, i.e. in the conduit to the output unit 14 in this case. The valve actuation control 20 is connected by way of a serial bus 21. Two output shift registers 22, 23 are provided in this embodiment. The data are sent to the second shift register 22 in an inverted fashion in order to prevent short circuits among the processors. The data stored in the shift registers 22, 23 are checked for correlation by way of an AND-gate 24 with an inverting input. If the AND-condition monitored by the gate 24 is not satisfied, a switch 26 in the power supply for the actuated valves or actuators 25 will be opened. This disconnects the actuators because an error is present.

The shift registers 22, 23 are component parts of the output stages 9, 14. Thus, the correlation of the output signals is monitored once more, in this case externally, irrespective of the comparators 18, 19. In a case of malfunction, this causes interruption of the actuation of the valves 25 irrespective of the operation of the central units 1, 2.

According to the present invention, the central unit (which also comprises the entire arithmetic unit and the sequence control) is provided twice to protect the calculating results and the correct processing of the programs. The data bus is extended by a generator for the test data or for redundancy information, for parity bits, for example. The output signals of the two central units are conducted to the hardware comparators (18, 19) for a checking operation. The comparators check the identity of the signals, including the test signals, and cause a system DISCONNECTION when the synchronous processing of the programs by the redundant central units has different results.

The output signals of both central units have equal status, i.e., the memory units (RAM, ROM) or the ‘periphery’ can be actuated by either of the two central units.

In an automotive vehicle control system, the wheel sensors, for example, whose output signals are the most important input quantities of the control system, can be connected by way of the input units 7, 12 which are referred to as periphery 1 and periphery 2 in the drawing. It is possible to distribute the sensor signals delivered (as shown) on the two bus systems 3, 4. The signal delivery may also be designed redundantly, i.e., by connecting all sensor signals to both bus systems 3, 4.

The same applies to the data introduced by way of the input stages 8, 13 (port 1, port 2). The brake light switch and other sensors, for example, are connected by way of these input stages in a controlled brake system.

An important feature of the present invention is that—in spite of the comprehensive redundancy and ‘protection’ of the data processing operation—the expenditure in memories is relatively small. As has been explained hereinabove, the read-only and random-access memories are provided for only one of the two microcomputers (MC1). The second microcomputer (MC2) incorporates only memory locations (10, 11) for test data. The driver stages 15, 16, 17 coupling both bus systems ensure that the stored useful data and test data are available to both central units in the data-processing operation.

Different from the embodiment shown, the memory locations of the memories 5, 6, 10, 11 can be distributed completely differently on the two bus systems 3, 4 or microcomputers MC1, MC2. The total memory space required is not increased thereby.

The test data or parity bits are taken into account for the identification of errors when reading the stored data and when writing data to be stored. With respect to each memory cell of the read-only memory and the random-access memory, the redundancy information is stored under the same address in the memories 10, 11 of the second microprocessor MC2, which has only memory locations for the test data. The test or redundancy information for the read-only memory has already been defined during programming. The test or redundancy information in the random-access memories is generated during the writing operation. Similar to the reading operation of the data and commands, the test or redundancy information is transmitted by way of the driver stage 16 which couples the two bus systems 3, 4. In the writing access, the data to be written are extended by redundancy information that is stored along with the data. In a reading access, the data and the redundancy information read back are checked for correctness by the comparators 18, 19.

Where the objective is to record and process the input data redundantly for safety reasons, the input stages (7, 8, 12, 13) have a double design. These stages may be arranged partly in the address space of one central unit and partly in that of the other central unit. Therefore, the periphery elements are uncoupled exactly as in a symmetric microprocessor system.

The output stages, which are likewise of double design, in particular those carrying the actuating signals for the valve actuation control 20, can also be arranged partly in the address space of one central unit and partly in that of the other central unit. Consequently, output periphery elements are uncoupled as in a fully symmetric concept.

To identify errors in the transmission of data by way of the bus system, the bus system is provided redundantly in the form of the bus systems 3 and 4 (bus 1, bus 4). The signals issued by the two central units 1, 2 and applied to the bus systems are checked for correlation by the comparators 18, 19.

When parity generators are used to produce the test data or redundancy data, two generators are required in the system of the present invention, which can be accommodated in the central units 1, 2 or in the comparators 18, 19, for example. In a writing access to the additional memory locations which are available for the random-access memory (memory 11), the parity generated in the central unit 2 by the redundancy generator is stored. In a reading access to the additional memory locations for the test data in the read-only memory or random-access memory, the information generated by the redundancy generator is compared with the read redundancy information for correlation.

Appropriate redundancy generators may be realized, for example, in a known manner by way of exclusive OR-gates.
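To make the write and read protection of the preceding paragraphs concrete (parity stored under the same address in memory 11, regenerated on each access, and checked by the comparators), the following C model is an added example and not the patent's circuit: it keeps the useful data in a model of RAM 6, the parity bit in a model of test-data memory 11, realizes the redundancy generator as an XOR tree, and lets a comparator model disconnect on any non-correlation. All identifiers, the 8-bit word width and the 16-word memory size are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added model of the write/read path; names, the 8-bit word width and the
 * 16-word memory size are assumptions, not values from the document. */
#define MEM_WORDS 16

static uint8_t ram6[MEM_WORDS];     /* useful data on bus 1 (memory 6) */
static uint8_t parity11[MEM_WORDS]; /* one parity bit per word on bus 2 (memory 11) */

/* Redundancy generator realized as an XOR tree: even parity of one byte. */
uint8_t parity_gen(uint8_t d) {
    d ^= d >> 4;
    d ^= d >> 2;
    d ^= d >> 1;
    return d & 1u;
}

/* The signals one core drives onto its bus in one access ("CdpA"). */
typedef struct { uint8_t ctrl, data, p, addr; } bus_sig_t;

/* Comparator 18 (19 is an identical copy): any non-correlation disconnects. */
bool comparator_ok(bus_sig_t a, bus_sig_t b) {
    return a.ctrl == b.ctrl && a.data == b.data && a.p == b.p && a.addr == b.addr;
}

/* Write access: each core presents the word it computed plus the parity from
 * its own generator; core 2's parity is stored in memory 11 under the same
 * address as the data in memory 6. Returns false on DISCONNECTION. */
bool lockstep_write(uint8_t addr, uint8_t d_core1, uint8_t d_core2) {
    if (addr >= MEM_WORDS) return false;
    bus_sig_t s1 = { 1, d_core1, parity_gen(d_core1), addr };
    bus_sig_t s2 = { 1, d_core2, parity_gen(d_core2), addr };
    if (!comparator_ok(s1, s2)) return false;
    ram6[addr] = s1.data;
    parity11[addr] = s2.p;
    return true;
}

/* Read access: the data reach core 2 via driver 15 and the stored parity
 * reaches core 1 via driver 16; each core regenerates the parity, and the
 * comparators check that the cores agree and that the regenerated bit matches
 * the bit read back from memory 11. Returns false on any mismatch. */
bool lockstep_read(uint8_t addr, uint8_t *out) {
    if (addr >= MEM_WORDS) return false;
    uint8_t d = ram6[addr], p_read = parity11[addr];
    bus_sig_t s1 = { 0, d, parity_gen(d), addr };
    bus_sig_t s2 = { 0, d, parity_gen(d), addr };
    if (!comparator_ok(s1, s2) || s1.p != p_read || s2.p != p_read) return false;
    *out = d;
    return true;
}

/* Constructed fault injection: flip one bit of a stored word (a RAM upset
 * between write and read). A single parity bit detects an odd number of
 * flipped bits in a word, but an even number passes unnoticed. */
void inject_bit_flip(uint8_t addr, unsigned bit) {
    if (addr < MEM_WORDS) ram6[addr] ^= (uint8_t)(1u << (bit & 7u));
}
```

The even-count limitation in the last comment is why a practitioner evaluating such a design asks how multi-bit upsets in one word are covered; the page itself only describes single parity bits.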

What is claimed is:
1. A microprocessor system for safety-critical control systems comprising: two synchronously operated central units which receive identical input data and process identical programs, read-only memory and random-access memory for storing test data, test data generators, comparators that compare output data or output signals of the central units and issue disconnecting signals in the event of non-correlation, wherein the central units each are connected to the read-only memory and the random-access memory and to input and output units by way of a separate bus system, and wherein said separate bus systems are connected to one another by driver stages which enable both central units to jointly read and process the data, including test data and commands, transmitted in the two bus systems.
2. The microprocessor system as claimed in claim 1, wherein the comparators check input and output data of the two central units, including the test data and commands, available in the two bus systems, for correlation.
3. The microprocessor system as claimed in claim 1, wherein the read-only memory and the random-access memory are distributed on memory connected to the two bus systems.
4. The microprocessor system as claimed in claim 3, wherein the read-only memory and the random-access memory are connected to one bus system, and the associated test data memory is connected to the other bus system.
5. The microprocessor system as claimed in claim 1, wherein at least the two central units, the read-only and random access memory, and wherein the driver stages, and said comparators are arranged on one single chip.
6. The microprocessor system as claimed in claim 1, wherein each of the two bus systems comprises a data and test information bus, an address bus and a control bus.
7. The microprocessor system as claimed in claim 1, wherein the signals or data of the two central units in the two bus systems, are sent to two parallel connected hardware comparators which are arranged within one chip, spatially separated from each other.
8. The microprocessor system as claimed in claim 1, further including an external comparator for connecting actuators or valves to the system.
9. The microprocessor system as claimed in claim 8, wherein the external comparator has output shift registers, of which one register receives output data in an inverted manner, wherein data stored in the two shift registers are compared by way of an AND-gate which has an inverted input and generates an output signal which keeps a switch closed in a power supply supplying the actuators or valves.